How are packets routed inside a single Linux machine? Imagine the following setup:

      +--------------------+
      |  apache on         |
      |  192.168.1.30:80   |
      |    |               |
    +---+  |             +---+
    |en0|--/             |en1|    <------   packet to 192.168.1.30:80
    +---+                +---+
192.168.1.30/24       10.0.0.30/24
      |                    |
      +--------------------+

Apache is bound to 192.168.1.30

When sending a packet to 192.168.1.30, it is usually dropped. However, when one activates /proc/sys/net/ipv4/ip_forward, the packet is routed to the far IP. (Thanks A.B. for the correction.)

A packet sent to 192.168.1.30 is accepted on the host even though it is sent to an interface with a different IP. This is called the weak host model.

Since this can be a security issue, I was wondering how Linux treats the routing with respect to the firewall.

How does such a packet traverse the firewall? Will it first go through the FORWARD and then the INPUT table?

  • @A.B. Thank you, that was the missing piece of the puzzle in my head. Would you like to write that as an answer so I can accept it? – Georg Schölly Feb 20 '20 at 07:20
  • I made the question's premise be correct. But for the question itself, I think user1794469's link is fine to answer it. The schematic linked in that answer shows it clearly. – A.B Feb 20 '20 at 07:51
  • If you don't want this behaviour to happen, that's a slightly different question, is that the actual question? – A.B Feb 20 '20 at 08:26
  • @A.B. No, that would be another question (e.g. this one: https://unix.stackexchange.com/questions/258810). I was strictly wondering if a packet destined for an interface not directly connected would go twice through the firewall. (First FORWARD, then INPUT.) – Georg Schölly Feb 20 '20 at 08:38
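The setup in the question can be rebuilt and observed rather than reasoned about. The following script is an added example, not code from the question or its comments: it creates the two-interface host from the diagram inside network namespaces (en0 at 192.168.1.30/24, en1 at 10.0.0.30/24), a stand-in for apache bound only to 192.168.1.30, and a client on the 10.0.0.0/24 side whose only route to 192.168.1.0/24 goes through en1. An nftables base chain is registered on every hook, and a `meta nftrace set 1` rule in the earliest hook makes `nft monitor trace` print one `packet:` event per hook the packet enters, so the chain order is read off the trace. Which hooks are entered is decided by the routing decision taken after PREROUTING: a packet whose destination is one of the host's own addresses is handed to INPUT, a packet whose destination is not is handed to FORWARD, so a single packet never crosses both (this is the path shown on the netfilter packet-flow diagram referred to in the comments). The `ip_forward` value is a parameter so both settings mentioned in the question can be compared on the same lab. Assumed and not in the post: root, iproute2, nftables and python3 are installed, and the namespace names host, lan and far plus the interface names en0/en1/lan0/far0 are unused.

```shell
#!/bin/sh
# Added example, not part of the original question or comments: a network
# namespace lab that rebuilds the two-interface host from the diagram and
# traces which netfilter hooks a packet for 192.168.1.30:80 arriving on en1
# actually enters. Assumed (not in the post): root, iproute2, nftables and
# python3 are available; namespaces host/lan/far and the interface names are free.
set -eu

# nftables ruleset for the lab host: one base chain per hook, so that every hook
# the packet crosses produces a "packet:" line in `nft monitor trace`, plus a
# trace-enabling rule at raw priority for the packet we care about.
ruleset() {
    cat <<'EOF'
table inet lab {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        ip daddr 192.168.1.30 tcp dport 80 meta nftrace set 1
    }
    chain input       { type filter hook input       priority 0; policy accept; }
    chain forward     { type filter hook forward     priority 0; policy accept; }
    chain output      { type filter hook output      priority 0; policy accept; }
    chain postrouting { type filter hook postrouting priority 0; policy accept; }
}
EOF
}

# Reduce `nft monitor trace` output (lines "trace id <id> <family> <table> <chain> packet: ...")
# to the hooks a traced packet entered, in first-seen order, e.g. "prerouting input".
hook_order() {
    awk '$1 == "trace" && $7 == "packet:" && !seen[$6]++ { printf "%s%s", sep, $6; sep = " " } END { print "" }'
}

setup() {
    for ns in host lan far; do ip netns add "$ns"; done
    ip link add en0 type veth peer name lan0
    ip link add en1 type veth peer name far0
    ip link set en0 netns host;  ip link set lan0 netns lan
    ip link set en1 netns host;  ip link set far0 netns far
    ip -n host addr add 192.168.1.30/24 dev en0
    ip -n host addr add 10.0.0.30/24    dev en1
    ip -n lan  addr add 192.168.1.10/24 dev lan0
    ip -n far  addr add 10.0.0.10/24    dev far0
    for ns in host lan far; do ip -n "$ns" link set lo up; done
    ip -n host link set en0 up;  ip -n host link set en1 up
    ip -n lan  link set lan0 up; ip -n far  link set far0 up
    # The far side reaches 192.168.1.0/24 only through the host's en1 address,
    # so its packets for 192.168.1.30 arrive on en1, as in the diagram.
    ip -n far route add 192.168.1.0/24 via 10.0.0.30
    ip netns exec host sysctl -qw net.ipv4.ip_forward="$1"
    ruleset | ip netns exec host nft -f -
}

run() {
    setup "$1"
    # Stand-in for apache: bound only to the en0 address, like in the question.
    ip netns exec host python3 -m http.server 80 --bind 192.168.1.30 >/dev/null 2>&1 &
    server=$!
    ip netns exec host nft monitor trace > /tmp/lab-trace.txt &
    monitor=$!
    sleep 1
    # Probe from the 10.0.0.0/24 side: the SYN arrives on en1 addressed to en0's IP.
    ip netns exec far python3 -c 'import urllib.request as u; print("HTTP", u.urlopen("http://192.168.1.30/", timeout=3).status)' \
        || echo "HTTP request failed"
    sleep 1
    kill "$monitor" "$server"
    echo "hooks entered by the inbound packet: $(hook_order < /tmp/lab-trace.txt)"
}

cleanup() { for ns in host lan far; do ip netns del "$ns" 2>/dev/null || true; done; }

# Usage: sudo sh weakhost-lab.sh run [ip_forward: 0|1]
# Nothing is created unless "run" is given, so sourcing the file is side-effect free.
case "${1:-}" in
    run)     trap cleanup EXIT; run "${2:-0}" ;;
    cleanup) cleanup ;;
esac
```

Run it once with `run 0` and once with `run 1` and compare the "hooks entered" line and the HTTP result; `/tmp/lab-trace.txt` keeps the full trace, including the `rule` and `policy` events per chain, if you want to see the verdicts as well. The nftrace flag is carried by the inbound skb only, so the reply the server sends back out of en1 is not traced; add a second `meta nftrace set 1` rule in the output chain if you want that direction too.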